[NEEDS TRANSLATION] Data Processing Agreement

[NEEDS TRANSLATION] 1. Subject Matter and Duration

[NEEDS TRANSLATION] The subject matter of the processing is the provision of the WaiverKit digital waiver platform to the Controller. Processing continues for as long as the Controller maintains an active account and for any applicable post-termination retention period described in Section 11.

[NEEDS TRANSLATION] 2. Nature and Purpose of Processing

[NEEDS TRANSLATION] The Processor processes personal data solely to host, deliver, secure, and support the WaiverKit service: collecting and storing signed waivers, generating PDF records, sending transactional emails, authenticating users, processing payments, and producing analytics on behalf of the Controller.

[NEEDS TRANSLATION] 3. Types of Personal Data and Categories of Data Subjects

[NEEDS TRANSLATION] Personal data processed may include:

• [NEEDS TRANSLATION] Signer identity data (name, date of birth, address, email, phone)
• [NEEDS TRANSLATION] Signature images and typed signatures
• [NEEDS TRANSLATION] Guardian data for minor signers
• [NEEDS TRANSLATION] Business user account data (name, email, authentication identifiers, IP address)

[NEEDS TRANSLATION] Categories of data subjects include: participants signing waivers, guardians of minor participants, and employees or authorized users of the Controller.

[NEEDS TRANSLATION] 4. Obligations and Rights of the Controller

[NEEDS TRANSLATION] The Controller is responsible for the lawfulness of the collection and processing of personal data, for obtaining any necessary consents from data subjects, for the accuracy of instructions given to the Processor, and for ensuring that the waiver templates and workflows it configures comply with applicable law. The Controller retains all rights in the personal data and may issue documented instructions to the Processor at any time.

[NEEDS TRANSLATION] 5. Sub-processors

[NEEDS TRANSLATION] The Controller authorizes the Processor to engage the following sub-processors to deliver the service:

• Clerk [NEEDS TRANSLATION] (authentication, session management, and user directory).
• Stripe [NEEDS TRANSLATION] (payment processing and subscription billing).
• Resend [NEEDS TRANSLATION] (transactional email delivery).
• Cloudflare R2 [NEEDS TRANSLATION] (object storage for signature images and PDF artifacts).
• Vercel [NEEDS TRANSLATION] (application hosting, edge network, and request routing).
• Neon (Postgres) [NEEDS TRANSLATION] (managed Postgres database hosting for structured data).

[NEEDS TRANSLATION] The Processor will notify the Controller of any intended addition or replacement of sub-processors with a reasonable opportunity to object on legitimate grounds.

[NEEDS TRANSLATION] 6. Security Measures

[NEEDS TRANSLATION] The Processor implements appropriate technical and organizational measures to protect personal data, including:

• [NEEDS TRANSLATION] Encryption in transit (TLS 1.2+) and at rest for database and object storage
• [NEEDS TRANSLATION] Role-based access controls and least-privilege IAM across infrastructure
• [NEEDS TRANSLATION] Tenant isolation enforced at the application and query layer
• [NEEDS TRANSLATION] Audit logging of administrative actions and PII access
• [NEEDS TRANSLATION] Regular backups, automated dependency scanning, and incident response procedures

[NEEDS TRANSLATION] 7. Data Subject Rights

[NEEDS TRANSLATION] Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures to fulfil the Controller's obligation to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability, and objection under GDPR Articles 15 to 22.

[NEEDS TRANSLATION] 8. Data Breach Notification

[NEEDS TRANSLATION] The Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data. The notification will describe the nature of the breach, likely consequences, measures taken or proposed, and a point of contact for further information.

[NEEDS TRANSLATION] 9. International Transfers

[NEEDS TRANSLATION] Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, such transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum and the Swiss addendum, together with any supplementary measures required by the transfer impact assessment.

[NEEDS TRANSLATION] 10. Audit Rights

[NEEDS TRANSLATION] The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality obligations and no more than once per calendar year except in the case of a documented security incident or regulatory request.

[NEEDS TRANSLATION] 11. Termination, Return, and Deletion

[NEEDS TRANSLATION] Upon termination of the agreement, the Processor will, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless applicable law requires continued storage. Backups containing personal data will be deleted in the ordinary course of the backup retention cycle.